The Verizon Data Breach Investigations Report (shortened to DBIR) is an examination of incidents and breaches of cybersecurity in the digital and wireless information sector. The DBIR is conducted by Verizon, a US telecoms provider, and consists of material gathered by the company’s staff or reported by any of Verizon’s 65 partner companies and organisations.
The DBIR has taken place each year over the past decade. The tenth DBIR concluded recently, and its findings were regarded as retreading familiar ground. Nearly 2,000 breaches of cyber security were investigated, and nearly 90 per cent of these happened using a tried and tested approach. As the methods of staging attacks were generally familiar, a large number were probably preventable, and the implementation of some cyber hygiene could have been an effective deterrent in many cases.
The DBIR is recognised as solid telecoms research and is eagerly awaited every April. However, in the past few years, the contents of the DBIR have become rather repetitive, as the same problems keep presenting themselves. Many of the same weaknesses in computer and VoIP systems recur as the reasons for attacks. For example, more than 80 per cent of hacking-style attacks used passwords that had been stolen, were being reused, or were simply too weak.
No system is completely impervious to breaches, but some basic security systems can make a big difference in deterring would-be hackers. Cyber criminals are often looking for a soft target, and if cyber security is proving to be an obstacle, they will probably move on.
Just as there are some sensible basics in home security, such as locking doors at night and using strong locks, simple cyber security steps include employing two-step verification to enter accounts, and patching software. Many companies and organisations do not have these measures in place, making it far too easy for cybercriminals to get exactly what they want. Lax cybersecurity also makes it too easy for hackers to breach computer and VoIP systems to extract valuable data.
Well-known methods, such as pretexting and phishing, are still claiming victims, and rather than decreasing, these familiar forms of cyber attack are rising. One telecoms expert claimed that the only way to deter staff from opening malicious attachments in emails was to publicise incidents to raise awareness.
On top of the 1,935 breaches that were looked into, the DBIR also examined more than 42,000 occurrences of cyber criminals appearing to have entered a system, but without actually damaging it or stealing data.
Many small businesses were targets of cybercrime in the past year, with more than 60 per cent of breaches taking place at firms with fewer than a thousand staff. In a first, the DBIR also segmented the attacks according to industry, and it appears manufacturing companies are particularly attractive for cybercriminals.
However, one omission that drew some criticism was not including information about breaches of Industrial Control Systems, the mechanisms that keep refineries, chemical plants and factories running. These systems run complexes that can be volatile and produce vital substances, such as petroleum products. They are also used to operate power plants to generate electricity and purify water. Compromising these systems could result in industrial disaster.